FERC Enhances its Cybersecurity Initiative to These 5 Focus Areas
image credit: FERC Presentation Nov 21, 2019 https://www.ferc.gov/industries/electric/indus-act/reliability/cybersecurity/11-21-19-A-4-presentation.pdf
- Dec 3, 2019 12:58 pm GMT; Dec 2, 2019 11:10 pm GMT
On November 21, 2019, FERC made an announcement concerning cybersecurity threats and electric infrastructure challenges, in which it unveiled five areas of focus. In addition, FERC announced organizational changes within the Office of Energy Projects (OEP) and the Office of Electric Reliability (OER) that will better serve grid security and cybersecurity concerns.
Pulling from the experience and knowledge of each of the relevant offices, a FERC staff presentation on November 21st identified five key areas where Commission staff will strategically and collectively focus efforts to address critical cybersecurity challenges.
Based on FERC’s reviews of recent threat reports, the cybersecurity climate concerning global events, NERC CIP standards and other recent developments in the industry, the commission staff has designated the following five focus areas:
- Supply Chain/Insider Threat/Third Party Authorized Access: Starting next year, new mandatory supply chain risk controls will take effect. The new standards, referred to as the Supply Chain Standards, consist of new Reliability Standard CIP-013-1 and revised Reliability Standards CIP-010-3 and CIP-005-6. They become effective 60 days after publication in the Federal Register and will be implemented over 18 months. The commission said the transition period was needed because compliance will likely require technical upgrades, with implications for capital budgets and planning cycles that have longer time horizons.
- Industry Access to Timely Information on Threats and Vulnerabilities: FERC recognized that many entities have limited threat intelligence capabilities and access to information on threats, vulnerabilities, and an entity-wide process for risk mitigation. FERC recommends improving access to vulnerability and threat information in order to minimize response and remediation time and reduce the risk of disruption.
- Cloud/Managed Security Service Provider: This focus area recognizes that managed security services and SaaS offerings can provide substantial operational and security benefits to entities if deployed in a secure manner. As currently written, the existing CIP reliability standards do not account for the use of cloud services in operating the grid and protecting the IT infrastructure, which could prevent utilities from leveraging these products and the enhanced security and efficiencies they provide.
- Adequacy of Security Controls: FERC acknowledges that there are many assets connected to Commission jurisdictional facilities that are subject to either minimal or no mandatory cybersecurity controls. While Low Impact BES Cyber Systems (BCS) make up the majority of BES cyber assets, there are very few mandatory security controls required for these assets. While Low Impact BES Cyber Systems have a lower impact on the BES, the simultaneous loss or degradation in a large number of these systems could have a significant aggregate effect. In addition, many Commission jurisdictional hydroelectric facilities connect to Low Impact BCS facilities that are not subject to high levels of mandatory security controls. Likewise, natural gas pipelines are not subject to mandatory cybersecurity controls, but the disruption of these pipelines could still have a significant impact on the BES.
- Internal Network Monitoring and Detection: Mandatory monitoring and detection are not currently required for internal networks under the NERC CIP standards. This focus area underscores the risk of inattentive internal monitoring practices, especially if a hacker has already breached a network and remains undetected by the entity.
Commission staff also discussed several organizational changes aimed at bolstering the agency’s cybersecurity resources. The OEP’s Division of Dam Safety and Inspections established a new security-focused group that will address both cybersecurity and physical security concerns at jurisdictional hydropower facilities. The new group’s responsibilities will include performing special cyber and physical inspections, conducting security and vulnerability surveys, and serving as the lead on the resolution of cyber and physical issues under FERC’s Dam Safety Program. In addition, OER has been organizationally realigned to include a new division focused exclusively on cybersecurity.
Compliance Central Enterprise Management Software:
A highly versatile NERC compliance management system that links and organizes compliance standards and risk data with schedules, tasks, activities, compliance requirements, and evidence from every area of the organization would improve an entity's ability to stay vigilant concerning the focus areas mentioned above. In addition, if the same system were integrated with a patch management system that maintains an asset baseline (including information on software, firmware, patches, and open ports), an entity could centralize critical information, making it better equipped to adjust to the constant enhancement of industry standards and to maintain reliability.